Aetna, KCC embroiled in legal battle over HIV disclosure mailing

Where is the future of patient data privacy? The reality is that it doesn’t and cannot exist anymore. No lawsuit will fix this systemic plague of rogue, hacked or accidental data leakage until a holistic and integrated policy drives restructure.

The plot of the Aetna-HIV status fiasco is thickening.

The Hartford, Connecticut health insurer has sued claims administrator Kurtzman Carson Consultants — otherwise known as the company that was tasked with sending settlement notices to 12,000 Aetna members, according to Reuters.

The mailing addressed patient privacy concerns that arose after two lawsuits filed against the insurer in 2014 and 2015. Although Aetna proposed customers receive HIV medications from mail-order pharmacies, many objected, citing potential privacy problems. Aetna agreed to allow members to fill HIV prescriptions at their pharmacies, and sent letters to inform them of the settlement.

Shortly thereafter, the AIDS Law Project of Pennsylvania, the Legal Action Center and Berger & Montague filed a lawsuit on the matter. The complaint states that Aetna “carelessly, recklessly, negligently, and impermissibly revealed HIV-related information of their current and former insureds to their family, friends, roommates, landlords, neighbors, mail carriers and complete strangers.”

Since then, Aetna has agreed to pay big bucks for the mistake, including a $17 million settlement. It also said it will pay the state of New York a $1.15 million fine regarding the HIV mailing situation, reports Reuters.

Earlier this week, the Connecticut-based health insurer issued a lawsuit of its own against Kurtzman Carson Consultants for at least $20 million.

According to the complaint, KCC didn’t inform Aetna that it would use windowed envelopes to send the mailing and didn’t show a final version of the notice and envelope to Aetna. Additionally, the insurer wants KCC to return the private data (obtained from Aetna’s insurers) that identifies members who received the mailing.

The complaint also alleges that KCC has refused to defend Aetna and return the confidential information.

Shortly thereafter, KCC fired back with a lawsuit against Aetna, according to Reuters.

The suit alleges Aetna and its law firm, Gibson, Dunn & Crutcher, did not keep Aetna members’ protected health information safe. Only Aetna is listed as a plaintiff in the lawsuit, but the complaint references Gibson’s role and actions on Aetna’s behalf.

The complaint says Aetna and Gibson knew that windowed envelopes were being used for the mailing, and that “KCC provided samples of the letters to Aetna and Gibson, and those letters demonstrated that windowed envelopes would be used.” It also claims Aetna and Gibson shared unencrypted PHI with KCC and gave KCC more data than was necessary to deliver the notice.

Aetna, KCC and Gibson each did not immediately respond to a request for comment.